
Improve Your Digital Security by Planning Ahead

Kris Burkhardt discusses how to plan ahead for better digital security.

Almost every business relies on some kind of software, whether it’s for scheduling, payments, customer information, or something else. And for individuals, we do our banking, shopping, socializing, and even work and school through and with software tools. But that can put us at risk. To improve our digital security, we need to know where our information is stored, what happens if it’s hacked or we can’t access it, and what our plan is if that happens.


See Safety Can’t Be an Afterthought by Kris Burkhardt for a complete transcript of the Easy Prey podcast episode.

Kris Burkhardt is the Chief Information Security Officer (CISO) at Accenture, a large global IT strategy company. His role is to keep Accenture’s employees, clients, and clients’ data safe. It’s a big challenge for a large organization – Accenture has nearly 800,000 employees. A core part of what he does is preparedness and behaviors, making sure people aren’t paranoid but are still prepared to spot scams.

Anyone Can Get Caught

Everybody gets targeted by scams and phishing. That includes Kris. To his knowledge, he’s never been caught by a real scam or phishing attempt. But he has failed phishing tests. Like many companies, Accenture’s security team runs phishing tests. For Kris, it was a classic situation where you’re vulnerable to a scam – he was in a hurry and reading the email on his mobile device. The email said the company was giving him a free Fitbit, and he believed it. He had just been reading about how some life insurance and health insurance companies offer discounts for meeting certain metrics. And he had also just learned that Accenture had a program providing an insurance discount for a healthier lifestyle. His brain connected the thoughts, and he clicked.

Luckily for him, it was a phishing test that his team put out and not a real phishing email. Kris doesn’t like the word fail, because it’s such a strong word. But when you don’t get these things right, it’s a good reminder to slow down and pay more attention. Digital security relies on a healthy skepticism when you’re reading emails. We live in a highly connected digital society, and we have to have a filter on at all times. Perfect security requires no mistakes, and that’s not really possible. Hopefully, all the mistakes are small.

You’ve got to have an industrial strength filter that’s always on all the time. No mistakes allowed.

Kris Burkhardt

Digital Security is Interconnected

Recently, software company CDK went down due to a digital security incident. CDK isn’t an Accenture product, but this example demonstrates how, when something goes down, it can impact other things in unexpected ways. CDK is software used in about 15,000 car dealerships out of about 20,000 total dealerships in the United States. It has huge market penetration. Most car dealers aren’t software experts. They rely on companies like CDK for that.

There’s a lot of good things about these software-as-a-service providers. You don’t have to maintain equipment, worry about backups, or anything because they handle all of it for you. It’s a really great thing – at least until it goes down.

Many small businesses rely on these software-as-a-service providers because there’s so much good about them.

Kris Burkhardt

CDK provides software packages for dealerships. Without this software, it’s significantly harder to buy a car, and you can’t schedule service or do many other things. Most of the dealerships affected by this outage didn’t have disaster recovery plans. They weren’t thinking about how to keep their business running without this software. It underscores how important it is to have plans and to ensure your software providers have these plans for you.

Strong digital security requires a plan in advance.

This isn’t specific to big industries like car dealerships, either. Restaurants use software like OpenTable for reservations. If that goes down, they don’t know who has reservations. There’s probably no industry that doesn’t rely on software-as-a-service for something. Even for individuals, tools like Gmail, G Suite, OneDrive, and Dropbox are the same thing. What happens to your life if those go down?

The Big Concern with Digital Security

What really keeps Kris up at night around digital security is how big it is. Cloud service providers have to get everything right all the time, and the defenders have to defend well. There are lots of steps for defense in depth. They have to assume that one or two things will fail. The best analogy is the holes in Swiss cheese – the best way to keep all the holes from lining up and something getting through is to have multiple layers.

So many assets are cloud-based these days. Employee email inboxes, SharePoint sites with confidential documents, financial systems, they’re all at risk. Protecting businesses and people means defending against all attacks on these assets and making sure they’re secure all the time. There are all kinds of different variations on cloud-based technology. Each has its own vulnerabilities and needs its own protection. Kris has some sympathy for the CDKs of the world when incidents happen. It’s hard to stay ahead and keep things secure all the time.

Businesses Need Plans

If you look at how a business is going to manage their digital security, they first have to have the right tools and framework to measure and correct their vulnerability. They have to understand what tech they’re using and have the right tooling so they can make sure it’s configured properly and they keep up with patches.

It’s also important to have a good business resilience plan. What happens if your company gets hit by ransomware? You have to have an immutable backup. An essential step for digital security is to know what systems are critical, what needs to be restored first, and what are acceptable timeframes to restore them. For a company like Accenture, they report financials once a quarter. Depending on where the attack hits, a few days down might be okay. For a company like Amazon, if something hits their main website they’re losing millions. The restoration is essential.

People … don’t always understand their exposure to technology, and they don’t understand the outsized impact it can have.

Kris Burkhardt

People often don’t understand how much they’re exposed to tech. A digital security issue can have a major impact on businesses, even those that aren’t “tech-based,” because all businesses these days rely on some kind of tech. Do you have backups? Do you know how they work? Some businesses have their systems backed up but have no idea how to restore from backup. These things are all essential.

Deepfakes and Social Engineering

Another of Kris’s major concerns is people’s resistance to social engineering. There are a lot of aspects of it, from simple email phishing and criminals trying to get you to give up your credentials or send money all the way to election influencing and deepfakes of political candidates. Kris worries about our ability to resist these frauds. It’s sometimes very easy to manipulate people. Kris and his team spend a lot of time on that, and how to identify social engineering and verify information through other channels, in their trainings.

I worry about our collective ability to really identify [deepfakes] and be resistant to non-facts.

Kris Burkhardt

Accenture has even been targeted by social engineering attacks. At one point, a threat actor attempted to convince one of their senior finance people to make a payment. They caught this person at the airport between flights – they were distracted and more accepting than they usually would be. The criminals created a deepfake of Accenture’s CEO, Julie Sweet. They sent a WhatsApp message, then followed it up with a fake voice recording. In addition, they registered the UK version of a real law firm Accenture works with to create a real-looking email address. The deepfake version of Julie then set up a Zoom meeting between the senior finance person and the scammer pretending to be from the law firm. They had a discussion about sending a lot of money.

Fortunately, the senior finance person was just paranoid enough to decide this didn’t make sense. They didn’t send the payment and instead brought the issue to the attention of Kris and Accenture’s legal team. The attack was clever, the threat actor was convincing, and the Julie Sweet deepfake was convincing. Training and innate thoughtfulness prevented a problem.

An Appropriate Level of Skepticism

The senior finance person in this situation was aware enough to know that this wasn’t the way Julie usually handled things, and the situation didn’t seem as urgent as they were trying to make it. Between the deepfake and the convincing email, it was a good scam. The solution was an appropriate level of skepticism. Kris has seen some colleagues get overly paranoid about stuff. In the future, unless your boss physically walks into the room, we may need to assume it’s a deepfake.

Kris spent the first half of his career in tech, and his natural instinct is to ask for tech solutions to these problems. And we are getting there. Big companies like Microsoft and Google are developing identity verification solutions that will make a difference in digital security. As we move towards a new future in tech, it’s going to be harder to take on a new identity or pretend to be somebody else online.

People are also getting better at using tools to spot likely deepfakes and confirming through alternate means. We’ll probably see more of that. Kris may be optimistic, but he also thinks that kids growing up with this are probably more cautious by nature because they grew up in a tech world. Scams have been going on since the beginning of time, tech has just made it easier. We’re clever and we’ll figure it out.

We must also hold large tech companies accountable for making it better. They’ve given us the wonderful gift of a digital society, which is great. You can argue whether or not it’s healthy. But they owe us some security to go along with it. We may not get there as quickly as we want, but digital security will improve.

They may not get there as fast as you or I want, but over time, I think things will definitely improve.

Kris Burkhardt

Guardrails Show Up After the Problem

As with most things, guardrails and protections tend to show up only after people realize there’s a problem. CISA, a U.S. government agency, recently put out a public report. A cyber safety review board went over a recent Microsoft breach and had specific questions for the company and other cloud providers about identity, resilience, transparency, and reporting.

Kris thinks guardrails are coming. For cloud service providers, and most vendors, there’s an incentive to get good products out fast. Digital security has long been an afterthought. But if you think about cars, we didn’t get seat belts for a long time after they were invented. Airbags came along later still. The same is probably true here, as well. They are coming. In the meantime, Kris is looking forward to digital security airbags.

Safety for a long, long time has been an afterthought.

Kris Burkhardt

The Deepfake Problem in Digital Security

In some ways, it feels like you’re not allowed to talk about digital security without mentioning AI anymore. AI will power a lot of things when it comes to security. But the initial balance of power leans towards the bad guys. An AI-generated phishing attack personally tailoring each message to each of 10,000 targets is much more powerful than the generic spam email blasts of ten years ago.

AI-generated deepfakes will get better, too. Kris worries about individually-tailored deepfakes. He heard about a deepfake phone call where someone called a couple with a deepfake of their child’s voice saying the child was in trouble and needed money. That’s a powerful attack, and we’re going to see more of that. And what happens when you give an AI a bunch of vulnerabilities to try against a particular company’s cloud infrastructure? It’s an attack made easier and faster by AI.

AI and deepfakes are going to make digital security harder.

Deepfakes are only getting better. Kris knows several companies that do deepfake detection. A good use case is a call center for a bank’s high net worth clients. They’re trying out the detection software with some success. It’s turning into a deepfake arms race. We’re working hard to detect the deepfakes, and criminals are working just as hard to build deepfakes that outsmart the deepfake detectors.

Deepfake Protection

The best way to boost your digital security against deepfakes is to go back to the fundamentals. Is this normal behavior for the person calling you? How can you verify in another way? In business, people need to follow normal payment processes, not take the caller’s word for things.

It’s going to take some time for people to develop their own guardrails and become resistant to these tricks. We all need to develop a better sense of normal. If something isn’t normal, even if it’s not concerning, it’s time to be suspicious.

It comes back to digital identities being important. Accenture recently went passwordless – most employees unlock their device with their face, thumbprint, or a PIN unique to that device instead of a password. We’re going to see that much more broadly in tech to protect digital security. Microsoft, Google, and Apple have all released passkeys.

We’ve worked hard as a culture to remove friction. It might be time to add some friction back. People often feel that efficiency and security are an either-or proposition. Whether or not that’s accurate, we have to recognize that there’s a place for security in transactions. We shouldn’t view it as negative just because it slows down a little bit. It’s reasonable to slow down for identity verification and security if we need to.

Rightly or wrongly, people feel that there’s a trade-off between efficiency and security.

Kris Burkhardt

Steps to Protect Your Digital Security

99.9% of airplanes land safely. But nobody wants to be on the 0.1% of planes that don’t. It’s the same principle with digital security. Getting it right 99.9% of the time is great, but you want to be prepared for the 0.1% of times you don’t.

The general ideas across the board are prevent, detect, and respond. There are a lot of defensive steps you can take. Have lots of layers so your Swiss cheese holes don’t line up. Once you get there, you need to be able to detect problems quickly. Companies often have tight monitoring, whether it’s log monitoring or actual agents on computers. They probably have automated alerts, and sometimes even automated responses to incidents. For consumers, monitoring is just as important. Regularly monitor your critical accounts, whether those are email accounts or bank accounts. You want to know if something is going wrong sooner rather than later.

The last step is to have responses set up. As a business, you need to know exactly what you’re going to do if you get hit with ransomware so you can respond right away. As a customer, you might have a response that if you see something weird in your bank account, you pick up the phone and call the bank. Have a plan ahead of time, and practice. Even if it’s a tabletop exercise and you don’t actually do anything, you need to know exactly what you’ll do in the situation.

Finally, as deepfakes get more popular, it’s a good idea to have a code word with your family and friends. Choose a code that a criminal isn’t likely to guess. And make sure to talk to your parents, especially if they’re older, and help them get ahead of these challenges.

You can connect with Kris Burkhardt on LinkedIn or by email at [email protected].
